Integration using CEF Logs

ITM On-Prem (ObserveIT) CEF Logs let you integrate with SIEMs and other log aggregation systems.

If you need log data that is not currently available through the RESTful API, or you don’t have a developer available to write custom integration code, then ITM On-Prem (ObserveIT) CEF logs are an alternative method for loading your ITM On-Prem (ObserveIT) data into a SIEM, UEBA tool or other log aggregation system.

Integration happens at the log-file level. The log files are forwarded to the remote system and ingested there, and the SIEM integration parses the ITM On-Prem (ObserveIT) log files and creates events, triggers, and alerts based on the text strings that appear inside them. Many tools, such as LogRhythm and McAfee ESM, have built-in support or a plugin available for parsing these ITM On-Prem (ObserveIT) CEF files. Integrated log data can be viewed, and videos of recorded sessions can be replayed, directly from within the external SIEM dashboard or report environment.

To select the logs you want, see Configuring CEF Log Integration.

Log files must be located in a library to which the ITM On-Prem (ObserveIT) Notification Service user has write permissions. By default, the log file location is C:\Program Files(x86)\ObserveIT\NotificationService\LogFiles\ArcSight. The default log file name is Observeit_activity_log.cef.

Following is an example of an Observeit_activity_log.cef file showing user activity, DBA activity, and alerts activity data:

The following example of an Observeit_activity_log.cef file shows audit activity data:

Note that in the CEF header, each data type is identified by a unique ID:

  • User activity = 100

  • DBA activity = 200

  • System events = 300

  • Alerts activity = 400

  • Audit activity = 500 (for details, see https://documentation.observeit.com/configuration_guide/auditing_configuration_changes.htm)

  • In-App elements = 600
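The data-type ID above is the Device Event Class ID field of the CEF header, so a SIEM parser can route each record by reading that field before it touches the extension. The following Python parser is an added example, not code shipped with ITM On-Prem (ObserveIT) or taken from the page: it splits the seven header fields on unescaped pipes (a literal pipe in a header field is written \|), parses the key=value extension (a literal = is written \=), maps the class ID to the data type listed above, and normalizes severity so alerts can be filtered. The sample lines, the vendor/product/version strings and the extension keys (suser, shost, cat, msg, act) are constructed assumptions, not a real Observeit_activity_log.cef.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Device Event Class IDs that the CEF header uses to identify each data type.
DATA_TYPES = {
    "100": "User activity",
    "200": "DBA activity",
    "300": "System events",
    "400": "Alerts activity",
    "500": "Audit activity",
    "600": "In-App elements",
}

# Constructed sample records (not from a real Observeit_activity_log.cef);
# vendor/product/version strings and extension keys are assumptions.
SAMPLE_LINES = [
    r"CEF:0|ObserveIT|ObserveIT|7.0|100|User activity|3|suser=jdoe shost=WS-12 msg=Opened file\=report.xlsx",
    r"CEF:0|ObserveIT|ObserveIT|7.0|400|Alert|8|suser=jdoe shost=WS-12 cat=Data Exfiltration msg=Copied files to USB",
    r"CEF:0|ObserveIT|ObserveIT|7.0|500|Config \| Policy changed|2|suser=admin act=Policy updated",
]


@dataclass
class CefEvent:
    version: str
    vendor: str
    product: str
    device_version: str
    class_id: str
    name: str
    severity: str
    extension: dict = field(default_factory=dict)

    @property
    def data_type(self) -> str:
        return DATA_TYPES.get(self.class_id, "Unknown")

    @property
    def severity_value(self) -> int:
        """Normalize CEF severity (0-10 or Low/Medium/High/Very-High) to an int; -1 if unknown."""
        try:
            return int(self.severity)
        except ValueError:
            return {"low": 3, "medium": 6, "high": 8, "very-high": 10}.get(self.severity.lower(), -1)


def _split_header(body: str, n_fields: int = 7):
    """Split on unescaped '|' until the seven header fields are collected.

    Whatever follows the seventh pipe is the extension and is returned untouched,
    because pipes are not escaped there.
    """
    fields, buf, i = [], [], 0
    while i < len(body) and len(fields) < n_fields:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # '\|' or '\\' inside a header field
            buf.append(body[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) < n_fields:                  # line ended before the seventh pipe
        fields.append("".join(buf))
    return fields, body[i:]


# A key starts the line or follows whitespace and ends at '='; '\=' inside a value never matches.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")


def _unescape(value: str) -> str:
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _parse_extension(ext: str) -> dict:
    """Parse 'key=value key2=value with spaces'; each value runs up to the next key."""
    keys = list(_KEY_RE.finditer(ext))
    result = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        result[m.group(1)] = _unescape(ext[m.end():end])
    return result


def parse_cef(line: str) -> CefEvent:
    line = line.rstrip("\r\n")
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record: %r" % line[:40])
    fields, ext = _split_header(line[4:])
    if len(fields) != 7:
        raise ValueError("malformed CEF header: %r" % line[:80])
    return CefEvent(*fields, extension=_parse_extension(ext))


def count_by_type(lines) -> dict:
    """Tally records per data type, e.g. to confirm which log types are enabled."""
    return dict(Counter(parse_cef(l).data_type for l in lines if l.strip()))


def select_alerts(lines, min_severity: int = 7):
    """Return alert records (class ID 400) at or above the given severity."""
    return [e for e in map(parse_cef, (l for l in lines if l.strip()))
            if e.class_id == "400" and e.severity_value >= min_severity]


if __name__ == "__main__":
    print(count_by_type(SAMPLE_LINES))
    for alert in select_alerts(SAMPLE_LINES):
        print(alert.severity_value, alert.extension["suser"], alert.extension.get("cat"))
```

Routing on the class ID before parsing the extension is deliberate: it keeps the header-level contract (IDs 100-600) separate from the extension keys, which vary by data type and product version, so a change in extension fields does not break the routing logic.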

The maximum CEF file size is 256GB.

If the file size reaches 50%, 75% or 99% of 256GB, a system event is generated, and a further event is generated when the file exceeds the maximum size. (For details about events, including severity, event name and category, see System Event Types.)

Code   Description

1405   File size reached 0.5 of the maximum size defined.

1406   File size reached 0.75 of the maximum size defined.

1407   File size reached 0.99 of the maximum size defined.

1408   File size exceeded the maximum size defined.